US11368488B2 · Active · Utility Patent · PatentIndex 42

Optimizing a security configuration of a networked environment

Assignee: FORTINET INC
Priority: Oct 25, 2019
Filed: Oct 25, 2019
Granted: Jun 21, 2022
Est. expiry: Oct 25, 2039 (~13.3 yrs left) · nominal 20-yr term from priority
Inventors: NEDBAL MANUEL; AHUJA RATINDER PAUL SINGH; AHLUWALIA MANOJ; GAITONDE JITENDRA; SREEDHAR RAJIV; KALE OJAS MILIND; LUBECK MARK RAYMOND; CHENG YUK SUEN; RAJANNA SURESH; ADLER DAVID DVIR; NOOL GARY
CPC: H04L 63/104; H04L 63/1425; H04L 63/105; H04L 63/20

PatentIndex Score: 42 · Cited by: 0 · References: 11 · Claims: 21

Abstract

Systems, methods, and apparatuses enable one or more security microservices to optimize a security configuration of a networked environment by applying security policies to resource groups passively to determine whether network sets, resource groups, or security policies should be modified, prior to active enforcement. When security policies are applied passively, security actions that are performed in response to a violation of security policy do not impact network traffic. The one or more security microservices evaluate the results of the passive application of security policies to determine whether there is at least one recommended modification to network sets, resource groups, or security policies. When there is at least one recommended modification, the modification is applied. When there are no recommended modifications or the recommended modifications have been performed, the one or more security microservices initiate active enforcement of at least a subset of the security policies on the network traffic.

Claims

exact text as granted — not AI-modified

What is claimed is:

1. A computer-implemented method comprising:
    partitioning port groups into one or more network sets;
    sampling network traffic associated with the one or more network sets;
    creating one or more resource groups based on the sampling of the network traffic associated with the one or more network sets, wherein creating the one or more resource groups based on the sampling of the network traffic associated with the one or more network sets includes creating at least a first resource group corresponding to a first function and a second resource group corresponding to a second function;
    applying one or more security policies to the one or more resource groups passively, wherein security actions associated with passively applied security policies do not affect the network traffic;
    evaluating results of applying the one or more security policies to the one or more resource groups passively to determine whether there is at least one recommended modification to apply to the one or more network sets, the one or more resource groups, or the one or more security policies;
    when there is at least one recommended modification, applying the at least one recommended modification to one or more of the network sets, the resource groups, or the security policies; and
    when there is not at least one recommended modification, initiating active enforcement of at least a subset of the one or more security policies on the network traffic.

2. The computer-implemented method of claim 1, wherein initiating the active enforcement of the security policies on the network traffic comprises:
    enabling at least one security action that impacts network traffic associated with the resource groups in response to a violation of a security policy.

3. The computer-implemented method of claim 1, wherein applying the one or more security policies to the one or more resource groups passively comprises:
    applying the one or more security policies against live network traffic associated with the resource groups in a monitoring only mode.

4. The computer-implemented method of claim 1, wherein the at least one recommended modification includes modifying resource group members of a resource group.

5. The computer-implemented method of claim 1, wherein the at least one recommended modification includes increasing a predetermined amount of time for applying the one or more security policies to the one or more resource groups passively.

6. The computer-implemented method of claim 1, wherein the at least one recommended modification includes disabling a security policy.

7. The computer-implemented method of claim 1, wherein evaluating the results of applying the one or more security policies to the one or more resource groups includes comparing a number of results of at least one security policy to a threshold.

8. One or more non-transitory computer-readable storage media storing instructions which, when executed by one or more hardware processors, cause performance of a method comprising:
    partitioning port groups into one or more network sets;
    sampling network traffic associated with the one or more network sets;
    creating one or more resource groups based on the sampling of the network traffic associated with the one or more network sets, wherein creating the one or more resource groups based on the sampling of the network traffic associated with the one or more network sets includes creating at least a first resource group corresponding to a first function and a second resource group corresponding to a second function;
    applying one or more security policies to the one or more resource groups passively, wherein security actions associated with passively applied security policies do not affect the network traffic;
    evaluating results of applying the one or more security policies to the one or more resource groups passively to determine whether there is at least one recommended modification to apply to the one or more network sets, the one or more resource groups, or the one or more security policies;
    when there is at least one recommended modification, applying the at least one recommended modification to one or more of the network sets, the resource groups, or the security policies; and
    when there is not at least one recommended modification, initiating active enforcement of at least a subset of the one or more security policies on the network traffic.

9. The one or more non-transitory computer-readable storage media of claim 8, wherein initiating the active enforcement of the security policies on the network traffic comprises:
    enabling at least one security action that impacts network traffic associated with the resource groups in response to a violation of a security policy.

10. The one or more non-transitory computer-readable storage media of claim 8, wherein applying the one or more security policies to the one or more resource groups passively comprises:
    applying the one or more security policies against live network traffic associated with the resource groups in a monitoring only mode.

11. The one or more non-transitory computer-readable storage media of claim 8, wherein the at least one recommended modification includes modifying resource group members of a resource group.

12. The one or more non-transitory computer-readable storage media of claim 8, wherein the at least one recommended modification includes increasing a predetermined amount of time for applying the one or more security policies to the one or more resource groups passively.

13. The one or more non-transitory computer-readable storage media of claim 8, wherein the at least one recommended modification includes disabling a security policy.

14. The one or more non-transitory computer-readable storage media of claim 8, wherein evaluating the results of applying the one or more security policies to the one or more resource groups includes comparing a number of results of at least one security policy to a threshold.

15. An apparatus comprising:
    one or more hardware processors;
    memory coupled to the one or more hardware processors, the memory storing instructions which, when executed by the one or more hardware processors, causes the apparatus to:
        partition port groups into one or more network sets;
        sample network traffic associated with the one or more network sets;
        create one or more resource groups based on the sampling of the network traffic associated with the one or more network sets, wherein creating the one or more resource groups based on the sampling of the network traffic associated with the one or more network sets includes creating at least a first resource group corresponding to a first function and a second resource group corresponding to a second function;
        apply one or more security policies to the one or more resource groups passively, wherein security actions associated with passively applied security policies do not affect the network traffic;
        evaluate results of applying the one or more security policies to the one or more resource groups passively to determine whether there is at least one recommended modification to apply to the one or more network sets, the one or more resource groups, or the one or more security policies;
        when there is at least one recommended modification, apply the at least one recommended modification to one or more of the network sets, the resource groups, or the security policies; and
        when there is not at least one recommended modification, initiate active enforcement of at least a subset of the one or more security policies on the network traffic.

16. The apparatus of claim 15, wherein initiating the active enforcement of the security policies on the network traffic further causes the apparatus to:
    enable at least one security action that impacts network traffic associated with the resource groups in response to a violation of a security policy.

17. The apparatus of claim 15, wherein applying the one or more security policies to the one or more resource groups passively further causes the apparatus to:
    apply the one or more security policies against live network traffic associated with the resource groups in a monitoring only mode.

18. The apparatus of claim 15, wherein the at least one recommended modification includes modifying resource group members of a resource group.

19. The apparatus of claim 15, wherein the at least one recommended modification includes increasing a predetermined amount of time for applying the one or more security policies to the one or more resource groups passively.

20. The apparatus of claim 15, wherein the at least one recommended modification includes disabling a security policy.

21. The apparatus of claim 15, wherein evaluating the results of applying the one or more security policies to the one or more resource groups includes comparing a number of results of at least one security policy to a threshold.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.